Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Damn Security Warning!


  • Please log in to reply
3 replies to this topic

#1 EvilTom

EvilTom

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:19 PM

Posted 10 November 2006 - 12:52 AM

Hi all, thanks for any help in advance, this is driving me insane.

I'll post some logs, then some info.

Tom Giokas - 06-11-10 16:40:42.34 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Tom Giokas\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-10-10 to 2006-11-10 ))))))))))))))))))))))))))))))))))


2006-11-08 18:47 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-08 17:47 1,492 --a------ C:\WINDOWSvundofix.reg
2006-11-07 22:45 110,612 --a------ C:\WINDOWS\system32\bsivtwwl.exe
2006-11-07 22:42 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-11-07 20:13 59,392 --a------ C:\WINDOWS\system32\drvsah.dll
2006-11-07 20:13 40,973 ---hs---- C:\WINDOWS\system32\rqrqnoo.dll
2006-10-23 18:40 2 --a------ C:\WINDOWS\system32\Dvbpws.dll
2006-10-23 18:24 15,360 --a------ C:\WINDOWS\system32\drivers\MPE.sys
2006-10-23 18:23 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2006-10-23 18:23 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2006-10-23 18:23 53,760 --a------ C:\WINDOWS\system32\drivers\vfwwdm32.dll
2006-10-23 18:23 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2006-10-23 18:23 363,520 --a------ C:\WINDOWS\system32\PsisDecd.dll
2006-10-23 18:23 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2006-10-23 18:23 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2006-10-23 18:23 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2006-10-23 18:23 11,776 --a------ C:\WINDOWS\system32\drivers\BdaSup.sys
2006-10-23 18:23 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2006-10-23 18:23 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2006-10-23 18:22 21,248 --a------ C:\WINDOWS\system32\drivers\wfcxdtun.sys
2006-10-23 18:22 167,296 --a------ C:\WINDOWS\system32\drivers\wfcxvcap.sys
2006-10-23 18:22 15,872 --a------ C:\WINDOWS\system32\drivers\wfcxtcap.sys
2006-10-23 18:22 10,368 --a------ C:\WINDOWS\system32\drivers\wfcxxbar.sys
2006-10-23 18:20 9,600 --a------ C:\WINDOWS\system32\drivers\WINFOXIO.sys
2006-10-19 17:19 36,734 --a------ C:\WINDOWS\system32\OggDSuninst.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-10 16:37 -------- d-------- C:\Program Files\Security Task Manager
2006-11-10 16:35 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-10 16:33 0 --a------ C:\AUTOEXEC.BAT
2006-11-09 12:21 -------- d-------- C:\Program Files\MSN Messenger
2006-11-09 12:19 -------- d-------- C:\Program Files\Microsoft IntelliType Pro
2006-11-09 12:19 -------- d-------- C:\Program Files\Microsoft IntelliPoint
2006-11-09 12:17 -------- d-------- C:\Program Files\Internet Explorer
2006-11-09 00:30 -------- d-------- C:\Program Files\Steam
2006-11-08 20:30 -------- d-------- C:\Program Files\VSAdd-in
2006-11-08 18:47 -------- d-------- C:\Program Files\Grisoft
2006-11-08 16:23 -------- d-------- C:\Program Files\mIRC
2006-11-08 15:34 -------- d-------- C:\Documents and Settings\Tom Giokas\Application Data\AdobeUM
2006-11-07 21:48 -------- d-------- C:\Program Files\Common Files
2006-11-07 20:34 -------- d-------- C:\Program Files\Lavasoft
2006-11-07 20:34 -------- d-------- C:\Documents and Settings\Tom Giokas\Application Data\Lavasoft
2006-11-07 20:11 -------- d-------- C:\Program Files\Traction Software
2006-11-07 20:10 -------- d-------- C:\Documents and Settings\Tom Giokas\Application Data\Azureus
2006-11-05 23:25 -------- d-------- C:\Program Files\Windows Live Safety Center
2006-10-31 12:22 -------- d-------- C:\Program Files\Java
2006-10-27 23:11 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-27 23:06 -------- d-------- C:\Program Files\EA Games
2006-10-23 18:40 -------- d-------- C:\Documents and Settings\Tom Giokas\Application Data\InterVideo
2006-10-23 18:30 -------- d-------- C:\Program Files\WinFast
2006-10-17 01:00 -------- d-------- C:\Program Files\PokerStars
2006-10-14 17:21 952 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-10-08 01:18 -------- d-------- C:\Program Files\Google
2006-10-08 00:36 -------- d-------- C:\Documents and Settings\Tom Giokas\Application Data\Google
2006-10-07 23:19 -------- d-------- C:\Program Files\Direct KiSS
2006-10-07 02:56 -------- d-------- C:\Documents and Settings\Tom Giokas\Application Data\Help
2006-09-27 17:12 31248 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2006-09-27 17:12 197648 --a------ C:\WINDOWS\system32\drivers\TmXPFlt.sys
2006-09-27 17:12 1051456 --a------ C:\WINDOWS\system32\drivers\VSAPINT.SYS
2006-09-24 13:01 379 --a------ C:\Documents and Settings\Tom Giokas\Application Data\AutoGK.ini
2006-09-23 23:54 -------- d-------- C:\Program Files\LimeWire
2006-09-22 23:15 34528 --a------ C:\WINDOWS\system32\drivers\Pcouffin.sys
2006-09-19 16:45 -------- d---s---- C:\Documents and Settings\Tom Giokas\Application Data\Microsoft
2006-09-17 16:38 -------- d-------- C:\Program Files\SubViewer
2006-09-11 22:58 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-08-23 13:11 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2006-08-23 12:53 260096 --a------ C:\WINDOWS\system32\ati2dvag.dll
2006-08-23 12:47 114688 --a------ C:\WINDOWS\system32\atipdlxx.dll
2006-08-23 12:46 86016 --a------ C:\WINDOWS\system32\ati2evxx.dll
2006-08-23 12:46 77824 --a------ C:\WINDOWS\system32\Oemdspif.dll
2006-08-23 12:46 41984 --a------ C:\WINDOWS\system32\ati2edxx.dll
2006-08-23 12:46 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2006-08-23 12:45 413696 --a------ C:\WINDOWS\system32\ati2evxx.exe
2006-08-23 12:44 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2006-08-23 12:38 2401984 --a------ C:\WINDOWS\system32\ati3duag.dll
2006-08-23 12:33 303104 --a------ C:\WINDOWS\system32\ATIDEMGR.dll
2006-08-23 12:33 2510752 --a------ C:\WINDOWS\system32\ativvaxx.dll
2006-08-23 12:27 6684672 --a------ C:\WINDOWS\system32\atioglx1.dll
2006-08-23 12:24 5140480 --a------ C:\WINDOWS\system32\atioglxx.dll
2006-08-23 12:21 221184 --a------ C:\WINDOWS\system32\atikvmag.dll
2006-08-23 12:19 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2006-08-23 12:14 290816 --a------ C:\WINDOWS\system32\ati2cqag.dll
2006-08-22 22:05 520192 --------- C:\WINDOWS\system32\ati2sgag.exe
2006-08-22 19:45 43668 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
2006-08-21 23:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 20:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Steam"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Ptipbmf"="rundll32.exe ptipbmf.dll,SetWriteCacheMode"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"PRONoMgr.exe"="C:\\Program Files\\Intel\\NCS\\PROSet\\PRONoMgr.exe"
"ASUS Probe"="C:\\Program Files\\ASUS\\Probe\\AsusProb.exe"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\PC-cillin 2003\\pccguide.exe\""
"PCCClient.exe"="\"C:\\Program Files\\Trend Micro\\PC-cillin 2003\\PCCClient.exe\""
"Pop3trap.exe"="\"C:\\Program Files\\Trend Micro\\PC-cillin 2003\\Pop3trap.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"itype"="\"C:\\Program Files\\Microsoft IntelliType Pro\\itype.exe\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\ipoint.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NWEReboot"=""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Nero\\Nero 7\\InCD\\InCD.exe"
"HydraVisionDesktopManager"="C:\\Program Files\\ATI Technologies\\ATI HYDRAVISION\\HydraDM.exe"
"HydraVisionViewport"="C:\\Program Files\\ATI Technologies\\ATI HYDRAVISION\\HydraMD.exe"
"WinFastDTV"="C:\\Program Files\\WinFast\\WFDTV\\DTVSchdl.exe"
"WinFast Schedule"="C:\\Program Files\\WinFast\\WFDTV\\WFWIZ.exe"
"CTDrive"="rundll32.exe C:\\WINDOWS\\system32\\drvsah.dll,startup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"Flag"=dword:00000002

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,01,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,4b,00,00,00,00,00,00,00,b5,04,00,00,e2,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,50,01,00,00,6b,01,00,00,20,01,00,00,2c,01,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-10 16:41:30.79
C:\ComboFix.txt ... 06-11-10 16:41
C:\ComboFix2.txt ... 06-11-07 21:50

Logfile of HijackThis v1.99.1
Scan saved at 4:45:19 PM, on 10/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tom Giokas\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [HydraVisionViewport] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
O4 - HKLM\..\Run: [WinFastDTV] C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFDTV\WFWIZ.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvsah.dll,startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &3 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &4 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1153394269024
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PC-cillin Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


I've tried adaware, spybot search and destroy, and SmitfraudFix. Originally it was that Virusburtsers, but that's gone now. What's left is an annoying little task tray icon saying I have spyware (red sphere with yellow '!').

I tried doing Trend micro housecall - when it finishes my web browser mysteriously closes. It's worked in the past..

Panda finds heaps of spyware, trojans etc. but won't tell me anything about them, then crashes.

I have pccillain 2003 running, didn't originally have firewall on (oops, accidentally left it off), but it's on now (bit late..)

Anyway hopefully that can help some smart person help me..

Some random things I'm running include a Wacom tablet, Winfast TV tuner card, ATI graphics card (two of them), multiple monitors, Asus probe.

Thanks in advance!

BC AdBot (Login to Remove)

 


m

#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 10 November 2006 - 06:48 AM

Hi EvilTom and Welcome to the Bleeping Computer!


Please get the file below scanned Here

C:\WINDOWS\system32\Dvbpws.dll

Save any results to notepad and post them in the next reply,please.


Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvsah.dll,startup

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button
  • Double-click VundoFix.exe to run it again.
  • Right Click inside the listbox (white box) and click add more files
  • Copy&Paste the entries below into the open boxes
    • C:\WINDOWS\system32\bsivtwwl.exe
    • C:\WINDOWS\system32\drvsah.dll
    • C:\WINDOWS\system32\rqrqnoo.dll
  • Click Add Files and Click Close Window
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.

In this case, VundoFix will run on reboot,allow the computer to reboot and VundoFix to load.

Just add the very same files as before and Click Remove Vundo.

#3 EvilTom

EvilTom
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  

Posted 10 November 2006 - 10:09 AM

Woot! It seems to have worked! Thanks muchly!

C:\WINDOWS\system32\Dvbpws.dll - was clean

Logfile of HijackThis v1.99.1
Scan saved at 2:04:16 AM, on 11/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Tom Giokas\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [HydraVisionViewport] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
O4 - HKLM\..\Run: [WinFastDTV] C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFDTV\WFWIZ.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &3 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &4 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1153394269024
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PC-cillin Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


VundoFix V6.2.8

Checking Java version...

Java version is 1.5.0.6

Java version is 1.5.0.9

Scan started at 5:43:35 PM 8/11/2006

Listing files found while scanning....

C:\WINDOWS\system32\wfzspwg.dll
C:\WINDOWS\system32\wingdm32.dll
C:\WINDOWS\system32\ylbmvlj.dll
C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\wybeg.ini
C:\WINDOWS\system32\wybeg.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\system32\wfzspwg.dll
C:\WINDOWS\system32\wfzspwg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wingdm32.dll
C:\WINDOWS\system32\wingdm32.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ylbmvlj.dll
C:\WINDOWS\system32\ylbmvlj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\gebyw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wybeg.ini
C:\WINDOWS\system32\wybeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\wybeg.bak1
C:\WINDOWS\system32\wybeg.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.8

Checking Java version...

Java version is 1.5.0.6

Java version is 1.5.0.9

Scan started at 5:49:52 PM 8/11/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\system32\bsivtwwl.exe
C:\WINDOWS\system32\bsivtwwl.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\drvsah.dll
C:\WINDOWS\system32\drvsah.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrqnoo.dll
C:\WINDOWS\system32\rqrqnoo.dll Has been deleted!

Performing Repairs to the registry.
Done!


Thanks again :D

#4 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 10 November 2006 - 10:59 AM

C:\WINDOWS\system32\Dvbpws.dll - was clean

:thumbsup:

If you will,find that file then right click on it and select properties.

See if you can associate the file with anything you have on the PC?


Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs,Click Full System Scan
  • Once the download completes,the scan will begin automatically.
  • The scan will take some time to finish,so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.

Edited by Cretemonster, 10 November 2006 - 11:00 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users